Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
If nettle is faster on signing it means (if we ignore operations mod n), that EC multiplication with the curve generator point is 2x faster on nettle.
Probably a bit more than a factor of two, since the silent modular inversion is likely much slower than openssl's.
The fact that openssl is a bit faster on verification it would mean that nettle is really slower than openssl in multiplying a random point, and adding points on the curve. Could that be?
The point multiplication with the random point takes much longer time than the point multiplication involving the generator. So if we have, say, 40% slowdown for the random point, and 200% speedup for the generator, the net result could still be 20% slowdown. (I made those figures up, but I think they are in the right ballpark).
I guess the penalty for side-channel silence is generally some 10-30%. Except for modinv, where it's even worse.
The reason we get pretty good performance for signing is that I use the Pippenger/comb algorithm for multiplication involving the generator. With current parameters, there's roughly 16 KByte of data for each curve, and multiplication takes n/6 dups and n/6 adds, where n is the bit size. While algorithms like wmNAF may use even fewer adds, but it still needs n dups. And for all the adds, one point is precomputed, so in Jacobian coordinates we have Z=1.
Regards, /Niels